-
ShinyHunters launched a “pay or leak” extortion campaign against the University of Nottingham in June 2026, publishing tens of gigabytes of stolen data online after the university did not comply.
-
The breach exposed 455,000 email addresses alongside passport numbers, financial records, ethnicities, and disability information belonging to both current students and alumni.
-
The university pulled affected systems offline immediately and is now cooperating with Action Fraud and the Information Commissioner’s Office.
ShinyHunters, the hacker group behind some of the most damaging data thefts in recent memory, has claimed another major victim. The University of Nottingham confirmed in June 2026 that the group breached its systems and published a massive volume of student and alumni data publicly online.
Hackers accessed the university’s Campus Solutions record system and pushed tens of gigabytes of stolen data onto public forums.
The breach exposed 455,000 unique email addresses. It also contained names, postal addresses, phone numbers, passport numbers, dates of birth, ethnicities, disabilities, IP addresses, usernames, and records tied to academic enrolments and fee payments.
Nearly half of those exposed email addresses had already surfaced in earlier breach databases.
ShinyHunters Runs “Pay or Leak” Campaign at the University
ShinyHunters did not steal the data quietly. The group ran a “pay or leak” extortion campaign, demanding payment before threatening to release everything publicly. The university did not comply, and the attackers followed through.
Similar extortion tactics are being used elsewhere. A ransomware group claims to have stolen 650GB of data from Inha University in South Korea, highlighting a troubling trend of cybercriminals targeting higher education.
Jason Carter, the university’s chief governance and risk officer, wrote directly to affected students and alumni to explain what happened. According to Carter, the group responsible had a documented history of targeting other organisations before setting its sights on Nottingham.
The university spotted the unauthorised activity on Tuesday, and staff pulled the affected systems offline immediately to contain the damage and launch a full investigation.
The university contacted all affected individuals directly. In a public statement, it apologised to those impacted for the stress and concern the incident had caused.
According to the institution, it is actively cooperating with Action Fraud, the Information Commissioner’s Office, and other regulatory bodies, and will continue updating those affected as the investigation progresses.
The Information Commissioner’s Office confirmed the university had reported the incident and that it is currently reviewing the information provided.
What the Attackers Accessed
Carter outlined four categories of data that the university believes the attackers obtained. The first covers contact details, including names, email addresses, and postal addresses.
The second includes university-specific information such as course records and student and staff identification numbers. Financial records make up the third category. The fourth covers personal information, including national insurance numbers and protected characteristics such as ethnicity, disability status, and gender.
According to Carter, the university is still working to confirm the precise scope of what the attackers took, and will release further updates as its investigation produces clearer answers.
Breach Hits a University Already Under Pressure
The timing of the attack makes an already difficult situation considerably worse. Earlier this year, the University of Nottingham told 2,700 members of staff that their positions were at risk of redundancy, representing more than a third of its total workforce.
The university cited shifting demands in the higher education sector alongside serious financial pressures, and proposed cutting 609 full-time equivalent roles over the next three years.
Staff responded by launching a boycott of marking and assessments. The University and College Union warned that the action would effectively prevent the university from releasing graduation certificates to students.
For students like Abigail Maguire, the crisis cuts even deeper. Maguire told the BBC she feared the university’s plan to use her earlier grades to calculate her final degree result.
She explained that personal hardships during her second year, including the death of her brother and serious physical health problems, had pulled her grades down considerably. Her appeal to the university did not lead to a resit opportunity. She pushed through her third year and managed to average a first-class result.
According to Maguire, discovering the university might now disregard that performance entirely left her feeling that all of her hard work had been rendered worthless.
The University of Nottingham now faces two serious challenges at once: rebuilding trust with hundreds of thousands of people whose data it failed to protect, and resolving a labour dispute that has already thrown the academic year into uncertainty.
